blackmoon | 6edf2c0706ff9d823618724790dbc936af936992727953122172b3f703df0051

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/10/2022, 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6edf2c0706ff9d823618724790dbc936af936992727953122172b3f703df0051.exe
Size

424KB
MD5

72df9a789b11401cdcdc39c911412d04
SHA1

124aede96d2acfccb5e197c02f8b5d856d174298
SHA256

6edf2c0706ff9d823618724790dbc936af936992727953122172b3f703df0051
SHA512

17aa3adcc42799796662ed30dad0c26b773e3ff26b36c5374825a09c777c703aab31dde29222d3f255acce860273d7355aa023d6eac5c8f361b1d59f55af539a
SSDEEP

6144:K5/YZ58drqrhGcbLhmvjSN6jZhixVK/B/zIydenCH:K5/Q58drihGiLhmGNiZsx0B/zIkenCH

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 7 IoCs

resource	yara_rule
behavioral2/memory/4916-132-0x0000000000400000-0x0000000000469000-memory.dmp	family_blackmoon
behavioral2/memory/4916-133-0x0000000000400000-0x0000000000469000-memory.dmp	family_blackmoon
behavioral2/files/0x000200000001e78c-135.dat	family_blackmoon
behavioral2/files/0x000200000001e78c-136.dat	family_blackmoon
behavioral2/memory/4392-137-0x0000000000400000-0x0000000000469000-memory.dmp	family_blackmoon
behavioral2/memory/4916-142-0x0000000000400000-0x0000000000469000-memory.dmp	family_blackmoon
behavioral2/memory/4392-146-0x0000000000400000-0x0000000000469000-memory.dmp	family_blackmoon

Executes dropped EXE 1 IoCs

pid	Process
4392	Sysceamzbvws.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4916-132-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/4916-133-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/files/0x000200000001e78c-135.dat	upx
behavioral2/files/0x000200000001e78c-136.dat	upx
behavioral2/memory/4392-137-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/4916-142-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/4392-146-0x0000000000400000-0x0000000000469000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	6edf2c0706ff9d823618724790dbc936af936992727953122172b3f703df0051.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	6edf2c0706ff9d823618724790dbc936af936992727953122172b3f703df0051.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe
4392	Sysceamzbvws.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 4392	4916	6edf2c0706ff9d823618724790dbc936af936992727953122172b3f703df0051.exe	88
PID 4916 wrote to memory of 4392	4916	6edf2c0706ff9d823618724790dbc936af936992727953122172b3f703df0051.exe	88
PID 4916 wrote to memory of 4392	4916	6edf2c0706ff9d823618724790dbc936af936992727953122172b3f703df0051.exe	88

C:\Users\Admin\AppData\Local\Temp\6edf2c0706ff9d823618724790dbc936af936992727953122172b3f703df0051.exe
"C:\Users\Admin\AppData\Local\Temp\6edf2c0706ff9d823618724790dbc936af936992727953122172b3f703df0051.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Users\Admin\AppData\Local\Temp\Sysceamzbvws.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceamzbvws.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\86289DDB9DCDB7A9CB80977D1B95D288

Filesize
779B

MD5
fa238ec1516a0cbb877b31b975cf9051

SHA1
ee49a2e199ccb1146e5ec9596e310f6a4e3e1e27

SHA256
1991571c918d70e8cb40161acf8e62c31b085793cc272da6860a36dcf000572f

SHA512
8f0b28a0002781cc2dca26dd7ee154c6ef9a1b64e4667fc73d6c0926d55593100cf7c3ef29a76bd9b9344d2591edea60c4792e175f130ba9ee405aea4546200a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_0CE04D811AECE4E524A767887569BABA

Filesize
471B

MD5
d182bac939c23fa8f7cd9a7943aaee61

SHA1
b9fa236d420e0ff1a337a45506ab09e01385d136

SHA256
492a88855c91809d4d6bd1327a21791415f33bd8eb2f0895b680f0b888a450ef

SHA512
d7e8bce234ae0e6b297561ec8391e66301ea9ad10621dfaca7c62f92315207a163a8ccf3409ccb6462d69fbc24f244fce9aa49130e23ed8e97b54333a4d49111

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_C209209F8D7D5B13D46B58A893729EAF

Filesize
471B

MD5
deff2484c101ecb294b4d379393f3553

SHA1
239818fadf9dd7a127f1451f4d2cbb6c02068847

SHA256
f4427e7459f8ff91cd71d8f13e70eb0d5350443c000044d77ff6d81f9fe46637

SHA512
3a4cba0c32cdc6a03f1902dd2181cda9ea94b460ddaeeea51edb4fb3e13c6d84f4227c78cbce14e89cdd30358690b41b5ceb56b74bacf7f0bb4320de4a676d25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\86289DDB9DCDB7A9CB80977D1B95D288

Filesize
242B

MD5
76881508449511000bf8f56601fa4b78

SHA1
e8d22e0c6347b00896d6902dfba8de5fb9f27969

SHA256
b78af884e7c980714067ae417381ef4fbf5e2ba67827b6526bff1277c00b3ef4

SHA512
33b6214cf4b80bbf13946c36457497c41dae2d0259d2bf1d6812d874fe5cf9882f1118189bfb7232d46cbcf03567cab745adcdfa70b0936d4b372f0d85eb4511

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_0CE04D811AECE4E524A767887569BABA

Filesize
432B

MD5
7965e96a4f83f455b6b0543ae8755954

SHA1
43a879fe327112703ef46cc568ea30fb8c741faa

SHA256
589eae33cc990ab7e3de8b7580f0ac2895b3af7096d91f31fec0c34cdacc883c

SHA512
e9c019f42f34d4cc696cd5a0496cacc87cc7ba3d0a03b0d1018a07678f112d055f60df63f8bb2f8b7570788b0ffedb02f05beb7f52069c614f47cfff79888bf4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_C209209F8D7D5B13D46B58A893729EAF

Filesize
428B

MD5
6a1be42b613cf054bf483ec7a98543a0

SHA1
227dbb4e3e1b3aa4c09c6501f630812722d50f50

SHA256
c8905da2c17755c574d15a26cbc5bfc79e03c1cded334d32e0eaee51daa09240

SHA512
9e9313e6bcc584f0d9b40f56ec9ab13a5ff156a01f9c08077d22b8fea9fb0be6ce0e76e1a1db8d41edc0c964e353c82504d01d9664d9c11bac7f3d260985af27

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceamzbvws.exe

Filesize
424KB

MD5
30c68cf09236842a3aa05def0bcd1b1b

SHA1
827cc9d603f88f95043b3f17179a6e9070e2353c

SHA256
ef83ac469b4a1826135c17a19f8e19de4f329d0eaf20fac070df7763fe905292

SHA512
4cf61a98803696f642a7dcd110f06b260829254f2b4e6f54142311cda68af2d44e1c0b36aa9fa748a5ac9a96d08be230f5b2c1d53c13826d799f3aa942fb82c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceamzbvws.exe

Filesize
424KB

MD5
30c68cf09236842a3aa05def0bcd1b1b

SHA1
827cc9d603f88f95043b3f17179a6e9070e2353c

SHA256
ef83ac469b4a1826135c17a19f8e19de4f329d0eaf20fac070df7763fe905292

SHA512
4cf61a98803696f642a7dcd110f06b260829254f2b4e6f54142311cda68af2d44e1c0b36aa9fa748a5ac9a96d08be230f5b2c1d53c13826d799f3aa942fb82c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
102B

MD5
e784586486a39f4158bb3b15620245d1

SHA1
f3b53299b13bfd5c9dea2874c7b206484260e3ae

SHA256
479ea26c00c1ad03afa4a7fafb92796a5e301569fd2ddee533c3578de506a74d

SHA512
17663a827792b4e053eef08b6480b69e6ed084adf17f9ecd5e59df7420ce9fb2bf060f0e03cf426eb33bb2a7bb66551ecf553ce8ee943a003e7ba69398fbdbe7

Download Submit
memory/4392-137-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4392-146-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4916-132-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4916-142-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4916-133-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download